[us...@httpd] unsubscribe
<> - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
RE: [EMAIL PROTECTED] Sspi login prompts - enable more than one
-Original Message- From: André Warnier [mailto:[EMAIL PROTECTED] Or maybe this : would it be acceptable for your users to use a different hostname depending on wether they are inside or outside ? If yes, then it would be a bit easier : you could set up two Virtual Hosts (one for inside and one for outside) and have a different authentication method on each (sspi inside, another outside). That would at least avoid the issue of having two authentication methods working together. Your Virtual Hosts could share the same document space (DocumentRoot directory). Andre, the last option you mentioned above sounds doable but I have some questions. Do both point to the same domain name like intranet.org? Or do I have to have another domain name for outside? I guess I'm not sure how to have the intranet virtual host show up when in the network vs. the virtual host showing up when outside the network? How does the browser/server know which one to call up? I've printed out your explaination as well, it's really helpful thank so much. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Sspi login prompts - enable more than one
From: André Warnier [mailto:[EMAIL PROTECTED] > Let me ask you a few questions, so that I don't start an answer that would be > totally out of context : Andre, here are my answers: > a) Just to get and idea, how many users are we talking about, and is this a > small/medium/large corporation ? Potentially could be up to everyone who has an account - up to 1000 + - although not all at once - maybe 10-50 at a time > b) What is "outside" ? Are we talking "Internet Café", or people with a > company laptop connecting from another location in the company ? This site is available to staff both inside and outside the network, so they could access at the library, at their home, etc. Just need internet connection. > c) What kind of information is on that Apache server ? The information is primarily documents and news used internally, no finance or confidential info. It is for staff only and may in the future store this type of info. > d) do all users use the same browser ? Users may use Firefox, IE, etc. and their own computers - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [EMAIL PROTECTED] Sspi login prompts - enable more than one
-Original Message- From: André Warnier [mailto:[EMAIL PROTECTED] Sent: Monday, September 22, 2008 1:06 PM Subject: Re: [EMAIL PROTECTED] Sspi login prompts - enable more than one Gallardo, Lisa wrote: > I have sspi module enabled on website (windows 2003, apache 2.0) and > have googled to figure out how to get the login prompt to prompt at > least 3 times (if incorrect password submitted) but so far only get > one prompt and then error page of no access which freaks folks out. > Plus, they can't go back or refresh page because it's set in their cookies. > > Is there somewhere in the httpd.conf file I can set more than one > login prompt for the site? > To answer you second question first : I don't think so. This kind of thing is more likely due to the browser settings. But there is something else that bothers me above : When you use something like sspi, it is usually because you want the users browsers, in an Intranet that is also a Windows Domain, to be able to authenticate to the Apache webserver using their Windows Domain user-id (which is already known to the workstation at that point, since they have already logged in to the Windows Domain). In that context, when the login dialog even appears once in the browser, it is already an indication of a failure. It means that the (automatic) Windows authentication has failed, and that the browser is "falling back" to Basic authentication. And since the server will not accept this form of authentication, the browser login will *never* succeed. No matter how often the login dialog comes back. Now, assuming your users are in an Intranet and a Windows Domain, I would first check the configuration of the browsers, and particularly a checkbox somewhere (in IE) saying "Allow Windows Integrated Authentication". And if the browsers are not directly inside the Domain, then you may also want to add your webserver's hostname to the list of "trusted hosts". Try again then and let us know. Thank you so much Andre for your reply! When users are at work they do have IE set up as you stated above: the site is in the intranet security zone for automatic login and Allow Windows Integrated Authentication is checked. But when they are at home or away from the office they can also access by entering their user login and password. This is when the login prompts and it only prompts once then gives the error message if credentials are incorrect. It's set up like this in my config: AuthName "Password Required" AuthType SSPI SSPIAuth On SSPIAuthoritative On SSPIOmitDomain On require group domain\domainuser When outside the network is there a way to have apache use ldap instead? If this is uncommented will it work with sspi for outside the network? And will it prompt twice? ##MM_MOD_LDAP_AUTH #AuthName "Intranet Users Only" #AuthType Basic #LDAP_Debug On #LDAP_Server DOMAIN.local #LDAP_Port 389 #LDAP_Protocol_Version 3 #Base_DN "dc=DOMAIN,dc=local" #Bind_DN "CN=User,OU=Service Accounts,OU=Department,OU=Office,DC=DOMAIN,DC=local" #Bind_Pass "xxx" #UID_Attr sAMAccountName #require valid-user #require user #require roomnumber "123 Center Building" #require filter "(&(telephonenumber=1234)(roomnumber=123))" #Group_Attr member #require group "CN=User,OU=Groups,OU=Office" - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] Sspi login prompts - enable more than one
I have sspi module enabled on website (windows 2003, apache 2.0) and have googled to figure out how to get the login prompt to prompt at least 3 times (if incorrect password submitted) but so far only get one prompt and then error page of no access which freaks folks out. Plus, they can't go back or refresh page because it's set in their cookies. Is there somewhere in the httpd.conf file I can set more than one login prompt for the site? Thanks. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [EMAIL PROTECTED] SSPI second prompt
-Original Message- From: Stephen Wellington [mailto:[EMAIL PROTECTED] Sent: Thursday, September 04, 2008 10:36 AM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] SSPI second prompt On 9/4/08, Gallardo, Lisa <[EMAIL PROTECTED]> wrote: > Greetings, > I am using sspi to authenticate users against active directory. When > the site opens users get a login prompt but if they incorrectly enter > their login information they get the Authorization Required error and > can't refresh or go back to get the login again. They have to quit > the browser. Can I set up Apache so that it will give at least three > prompts? I'm using Windows 2003, apache 2.0.x. > Thank you. > Lisa As far as I know, the browser decides when to stop asking for login details - I've certainly had different experiences with each browser. Of course I might be talking rubbish - sorry I can't help more! Steve - Thanks for your reply Stephen. I'm wondering now if you are right, although I know I've been given another login prompt at other sites on IE/Firefox. IS this correct, that browsers control how many login prompts are presented to the user? - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] RE: SSPI second prompt
Forgot to include what I've got in my httpd.conf for MOD_AUTH_SSPI: AuthName "Intranet Users Only" AuthType SSPI SSPIAuth On SSPIAuthoritative On SSPIDomain DOMAIN require group domain\user -Original Message- Sent: Thursday, September 04, 2008 10:28 AM Subject: [EMAIL PROTECTED] SSPI second prompt Greetings, I am using sspi to authenticate users against active directory. When the site opens users get a login prompt but if they incorrectly enter their login information they get the Authorization Required error and can't refresh or go back to get the login again. They have to quit the browser. Can I set up Apache so that it will give at least three prompts? I'm using Windows 2003, apache 2.0.x. Thank you. Lisa - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] SSPI second prompt
Greetings, I am using sspi to authenticate users against active directory. When the site opens users get a login prompt but if they incorrectly enter their login information they get the Authorization Required error and can't refresh or go back to get the login again. They have to quit the browser. Can I set up Apache so that it will give at least three prompts? I'm using Windows 2003, apache 2.0.x. Thank you. Lisa - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] SSPI authentication allow for more than one try
Hi, Is there a way to make it so that sspi authentication on apache 2.0 (Windows 2003 box) will let you try logging in more than once without going to authentication failure error? Currently the following setup in my virtual directory only gives users one try to input username and password and if they do it incorrectly they get the error and can't retry without restarting the browser, clearing session. AuthName "SSPI" AuthType SSPI SSPIAuth On SSPIAuthoritative On #require valid-user #require user require group do-domainuser Thanks! - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [EMAIL PROTECTED] Single Sign On via Windows Active Directory credentials
Hi, I'm using sspi_auth_module along with active directory for single sign on for those users already logged into our network with apache 2.x.x on Windows 2003 server. I'm not running IIS. From: Genesis X1 [mailto:[EMAIL PROTECTED] Sent: Thursday, December 28, 2006 5:00 AM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] Single Sign On via Windows Active Directory credentials Is this a GUESS or are u sure abt it? On 12/27/06, Marc Boorshtein <[EMAIL PROTECTED]> wrote: mod_kerberos should give you SSO with an existing AD environment
[EMAIL PROTECTED] Configuring Apache 2.054 to automate authentication with Active Directory from within network
Greetings, I've been researching the best way to have Windows Integrated Authentication using Apache2, Active Directory and either mod_auth_sspi, mod_ntlm2, or if possible using a rewrite command to bypass the username/password popup if a user is already logged into our network. At the moment, I've been trying to use mod_auth_sspi since this seems to be the module most articles/postings refer to for Apache2 on a Windows 2003 box. I am unsure of how to get it working for groups if that's possible. It seems to authenticate with require valid-user but it still doesn't work to bypass the password dialog box even though I've already logged in. I've included the load module in httpd.conf as well. My virtual host directory looks like this: Options Indexes FollowSymLinks +IncludesNOEXEC AllowOverride All order allow,deny allow from all AddType text/html .shtml AddOutputFilter INCLUDES .shtml # # Configuration for mod_auth_sspi AuthType SSPI SSPIAuth On SSPIAuthoritative Off SSPIOfferBasic Off SSPIBasicPreferred Off require valid-user # group_attr member #require group do-domainuser SSPIDomain susd SSPIOmitDomain Off # End of mod_auth_sspi. If this doesn't work is there another way to include a rewrite rule that would bypass the password login if it was detected that the user has already logged in? Someone had mentioned rewrite but I never did come across an actual solution. I have gotten mm_mod_auth_ldap to work so it authenticates based on groups but I can't figure out how to get it integrated with Windows Authentication, which is why I started looking at the other modules. Many thanks for your help. lisa - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] Mass virtual hosting - mod_vhost_alias, mod_rewrite or mod_vhost_dbi?
Hi all, I've set up Apache 2.055 with PHP5 and MySQL5 on Windows 2003. I've got LDAP working to authenticate against Active Directory. Now I'm at the stage where I need to set up virtual hosts for possibly up to 1000 users. I've been researching the best way to go about doing this and have come across the following methods/modules: mod_vhost_alias http://httpd.apache.org/docs/2.0/vhosts/mass.html mod_rewrite mod_vhost_dbi http://www.outoforder.cc/projects/apache/mod_vhost_dbi/ I really want to set this up correctly from the start because I know that once it's up it will be difficult to make changes once the server is live and open for our school webmasters. What are other people using and are there any straightforward/layman tutorials out there for implementing these? I've been going over the apache.org docs but I'm still a bit lost as to the best route to take. How do web hosts typically set up their Apache virtual hosts? Lisa - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [EMAIL PROTECTED] Apache 2.0.55 on Win2003 crashes when attempting LDAP auth against AD
Dan, I got the following DLLs from Sun at http://www.sun.com/download/index.jsp?cat=Application%20Development&tab= 3#sdks and downloaded this package: Directory SDK for C 5.08. I then placed all the DLLs that were in the SDK LIB folder in the Apache modules folder. Lisa -Original Message- From: Dan Buettner [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 21, 2006 10:28 AM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] Apache 2.0.55 on Win2003 crashes when attempting LDAP auth against AD Thanks Lisa. I see a note for the Windows binary version to install DLLs from a Sun package; I think I have got the right Sun package now. Do you recall details on which DLLs, and where you put them? Dan Gallardo, Lisa wrote: > Hi Dan, > I've got Windows 2003, Apache 2.0.55 and I'm using the ldap module > from > http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html > version 3.07. > > It connects to active directory just fine. > Lisa > > -Original Message- > From: Dan Buettner [mailto:[EMAIL PROTECTED] > Sent: Monday, June 19, 2006 7:04 AM > To: users@httpd.apache.org > Subject: Re: [EMAIL PROTECTED] Apache 2.0.55 on Win2003 crashes when > attempting LDAP auth against AD > > Thanks William - we use some 3rd party modules like php, python, > subversion. Not all of these are available as binaries for Windows & > Apache 2.2.2 yet. > > Anything else we might be able to do with 2.0.x ? > > Dan > > > William A. Rowe, Jr. wrote: >> Dan Buettner wrote: >>> I've got a Windows 2003 Server running Apache 2.0.55 and Active >>> Directory. I am attempting to to use Apache's mod_auth_ldap to >>> control access on a per-directory basis with .htaccess files, by >>> authenticating with LDAP against Active Directory. >> I can't even run 2.0 ldap without a host of extra backported > patches... >>> There are some notes in the release doc that 2.0.55 addressed some >>> issues with LDAP, but .56, .57 and .58 don't reference LDAP changes >>> at all. >> Grab Apache 2.2.2 - there's been major, major refactoring to get LDAP >> right, the sort of things that don't work out well for backporting to >> 2.0.x. >> >> >> - >> The official User-To-User support forum of the Apache HTTP Server > Project. >> See http://httpd.apache.org/userslist.html> for more info. >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> " from the digest: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> > > - > The official User-To-User support forum of the Apache HTTP Server > Project. > See http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [EMAIL PROTECTED] >" from the digest: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - > The official User-To-User support forum of the Apache HTTP Server Project. > See http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [EMAIL PROTECTED] >" from the digest: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- Dan Buettner - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [EMAIL PROTECTED] Apache 2.0.55 on Win2003 crashes when attempting LDAP auth against AD
Hi Dan, I've got Windows 2003, Apache 2.0.55 and I'm using the ldap module from http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html version 3.07. It connects to active directory just fine. Lisa -Original Message- From: Dan Buettner [mailto:[EMAIL PROTECTED] Sent: Monday, June 19, 2006 7:04 AM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] Apache 2.0.55 on Win2003 crashes when attempting LDAP auth against AD Thanks William - we use some 3rd party modules like php, python, subversion. Not all of these are available as binaries for Windows & Apache 2.2.2 yet. Anything else we might be able to do with 2.0.x ? Dan William A. Rowe, Jr. wrote: > Dan Buettner wrote: >> >> I've got a Windows 2003 Server running Apache 2.0.55 and Active >> Directory. I am attempting to to use Apache's mod_auth_ldap to >> control access on a per-directory basis with .htaccess files, by >> authenticating with LDAP against Active Directory. > > I can't even run 2.0 ldap without a host of extra backported patches... > >> There are some notes in the release doc that 2.0.55 addressed some >> issues with LDAP, but .56, .57 and .58 don't reference LDAP changes >> at all. > > Grab Apache 2.2.2 - there's been major, major refactoring to get LDAP > right, the sort of things that don't work out well for backporting to > 2.0.x. > > > - > The official User-To-User support forum of the Apache HTTP Server Project. > See http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [EMAIL PROTECTED] > " from the digest: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] LDAP on Apache 2 or PHP?
Hi, I would like to connect to active directory using ldap. I'm a bit confused about the configuration though. If I use an apache module will this allow you to connect to AD in all applications or do you have to set it up for PHP, ASP as well? So you'd have it configured in Apache for straight html websites and for those driven by PHP/ASP you'd have it configured there too? THanks. Lisa
[EMAIL PROTECTED] Confused about installing mod_auth_ldap on W2003, Apache2058
Hi, I've been re-reading the following instructions http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache 2.html on installing mod_auth_ldap on our Windows 2003 server, no IIS, just Apache, PHP5 and MySQL5. This is where I get lost after downloading the following files: from mod_auth_ldap zip: modauthldap_apache2_dll/ modauthldap_apache2_dll/mod_auth_ldap.dll modauthldap_apache2_dll/README modauthldap_apache2_dll/cert7.db modauthldap_apache2_dll/key3.db modauthldap_apache2_dll/md5.txt from the Sun SDK 5.08 zip: etc (folder) examples (folder) include (folder) include-nspr (folder) lib (folder) tools (folder) license.txt readme.txt releasenotes.txt Do I now copy the entire modauthldap_apache2_dll folder to the Apache modules directory or just the .dll? And as for the .dll files in the SDK pack, do I just copy the .dll files from the lib folder or do I copy everything from the zipped download to the modules directory of Apache? Thanks Lisa - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]